The Evolving Face of Web Security

When I was a boy growing up in New Jersey, the basement in our older family home would flood several times a year. It was on a concrete slab and usually dried out after a few days, so it was okay. I came home from college one weekend and upon hearing my mom say she was going to carpet the basement, I reminded her of the periodic floods. She looked me in the eye and said, "Dammit Alan, I’m doing the best I can."

The analogy that I’d like to draw is between my mom’s futile desire to make the house a bit nicer and the impossible world of security. Both seem so daunting – my mom didn’t know how to keep the basement dry, and most business owners are equally helpless in keeping professional hackers at bay. With so much written about security, and so many high-profile security breaches in the news, it is no wonder that small businesses are frozen with indecision. Where does one start, and will any efforts even make a difference?

My mom’s basement could have been water-proofed with a few sump pumps and a battery backup. It wouldn’t have made it through the recent onslaught of Hurricane Sandy, but it would have kept the carpet dry for a few years. On the security side, many of the largest players in the security business publish comprehensive reports that define security breach trends. These can act as remediation roadmaps: not effective against a really persistent attacker, but certainly useful for thwarting attackers working on the ‘low-hanging fruit’ theory of life.

While we’ll go through some of the more interesting report tidbits below, I’d like to start by encouraging you to look at the Verizon 2012 Data Breach Investigations Report, with its great analysis of 855 incidents and 174 million compromised records that highlight recent web security problems. If you have the time, I would also suggest reading the Microsoft, Cisco and Trustwave reports. Keep the bigger view in mind, think about the trends in terms of your own business, and, for gosh sake, figure out if you are wandering around with that ‘hack me now’ note pinned to your back.

As Lewis Carroll's Red Queen said to Alice: "Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!" If you follow security at all, you’ll probably be amazed at the security trends that seem to have emerged overnight, the old chestnuts that seem to last forever and the oldies that have lost their position at the top.

My favorite security factoids from these reports included the following:

1. 98% of all breaches stemmed from external agents (source Verizon)

2. 81% of all breaches utilized some form of hacking (source Verizon)

3. 96% of attacks were not highly difficult (source Verizon)

4. The most common password used by global businesses is “Password1” because it satisfies the default Microsoft Active Directory complexity setting. (source Trustwave)

98% of all breaches stemmed from external agents

Outsiders dominate the scene of corporate data theft. Organized criminals were up to their typical misdeeds and were behind the majority of breaches in 2011. Activist groups created their fair share of misery and mayhem last year, as well, and they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role across the caseload. (source Verizon)

It’s not the geeky kid in his mom’s basement that is messing with your data. It’s professionally organized criminals that have set up shop in well-funded facilities in hacker-friendly countries across the world. Or it's a group of well-organized activists looking to make a political statement that you may not understand even after the security breach is discovered. These are professionals who hack for a living while you are just hoping to survive the recession. To say most businesses are outgunned would be an understatement.

81% of all breaches utilized some form of hacking

Incidents involving hacking and malware were both up considerably in 2011, with hacking linked to almost all compromised records. This makes sense, as these threat actions remain the favored tools of external agents, who, as described above, were behind most breaches. Many attacks continue to thwart or circumvent authentication by combining stolen or guessed credentials (to gain access) with backdoors (to retain access). (source Verizon)

This statistic is even more interesting given that the number is up 31% over its 2010 counterpart. This amazing rise was accompanied by an equally dramatic 20% rise in malware-supported breaches. Note also that this rise in hacking-related breaches was accompanied by corresponding reductions in successful social engineering and physical attacks.

96% of attacks were not highly difficult

Findings from the past year continue to show that target selection is based more on opportunity than on choice. Most victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack.

Whether targeted or not, the great majority of victims succumbed to attacks that cannot be described as highly difficult. Those that were on the more sophisticated side usually exhibited this trait in later stages of the attack after initial access was gained. Given this, it’s not surprising that most breaches were avoidable (at least in hindsight) with simple and inexpensive countermeasures. Low levels of PCI DSS adherence highlight a plethora of issues across the board for related organizations. (source Verizon)

While at least some evidence of breaches often exists, victims don’t usually discover their own incidents. Third parties usually clue them in, and, unfortunately, that typically happens weeks or months down the road. (source Verizon) Not only are businesses being breached with little or no effort, but most don’t even know when they have become a security victim. They have no time for security, and they are getting eaten alive.

The most common password used by global businesses is “Password1”.

IT administrators should be aware of what passes as a complex password, especially in Active Directory environments. Users can create passwords that meet complexity requirements because they contain the minimum number of characters and include a couple of character variations. The Active Directory password complexity policy states that a password is required to have a minimum of eight characters and three of the five character types (lower case/upper case/numbers/special/Unicode). With that, “Password1” completely adheres to these policies, as does “Password2” and “Password3.” Users are creating passwords that meet the bare minimum requirements for length and character types, to aid with the memorability of the password. (source Trustwave)
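To make that policy concrete, here is an added Python example (not from the article or any of the cited reports) that implements the complexity rule exactly as described above and then adds the check the rule lacks: a banned-base-word comparison that catches “Password1”, “Password2” and leetspeak variants. The banned-word list, the leetspeak map and the normalization are assumptions for illustration, not Active Directory behaviour.

```python
import re

# The complexity rule as the article describes it: at least eight
# characters and at least three of the five character classes.
MIN_LENGTH = 8
REQUIRED_CLASSES = 3
# Constructed, illustrative banned-base-word list (not a real wordlist).
BANNED_BASE_WORDS = {"password", "welcome", "qwerty", "letmein"}
# Assumed leetspeak reversal map so "P@ssw0rd" normalizes to "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})

def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if not ch.isascii():
            classes.add("unicode")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes

def meets_complexity(password: str) -> bool:
    """The policy as stated in the article: length and class count only."""
    return (len(password) >= MIN_LENGTH
            and len(character_classes(password)) >= REQUIRED_CLASSES)

def base_word(password: str) -> str:
    """Strip digits/specials from both ends, lowercase, undo leetspeak."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)

def evaluate(password: str) -> dict:
    """Policy check plus the banned-base-word check the policy lacks."""
    complexity_ok = meets_complexity(password)
    banned = base_word(password) in BANNED_BASE_WORDS
    return {"complexity": complexity_ok, "banned_base": banned,
            "accept": complexity_ok and not banned}

if __name__ == "__main__":
    # "Sally78" is the article's own example; the rest are constructed.
    for pw in ["Password1", "Password2", "P@ssw0rd1", "Sally78", "Tr4ck-Mud#Kite"]:
        print(f"{pw:16} {evaluate(pw)}")
```

Note that “Password1” passes the complexity rule and is rejected only by the banned-base-word check, which is the gap the Trustwave finding points at.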

Mention ‘passwords’ at your next lunch with friends and chances are you will spend 15 minutes listening to your friends whine about having to remember passwords and the sneaky ways they have circumvented whatever policies have been put in place. From the Post-It note on the keyboard at my last client review (I kid you not) to the spouse’s name and birth year (Sally78), people treat passwords like the dark side of Internet use. I found this fascinating in that it points out the fact that even with our best efforts (in this case requiring robust passwords), we still live in a people-centric world. The quote that comes to mind is ‘Bugs in the Human Hardware’.

Conclusion

Every statistic indicates your website has probably been hacked already, and if it hasn’t been, it will be soon. You won’t be aware of it until some outsider points it out to you. You have an obligation to your business, and most certainly to your clients, to do more than ignore the possibility. Take a look at the reports noted above and take at least a few proactive steps to become more than just a target of opportunity.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.